Vendor Management Policy - Build Trust Center

← Back to Trust Center

Vendor Management Policy

Standards for evaluating and managing third-party vendors

Other Policies: Encryption Policy Risk Assessment Policy Incident Response Plan Data Retention Policy Data Protection Policy Data Classification Policy Information Security Policy Acceptable Use Policy

Vendor Management Policy

Purpose

To ensure third-party vendors meet our security and compliance requirements.

Vendor Assessment

Initial Assessment

Security questionnaire required
Review of security certifications
Risk assessment based on data access

Ongoing Monitoring

Annual security review
Continuous monitoring of critical vendors
Incident notification requirements

Contractual Requirements

Data protection agreements
Right to audit clause
Breach notification within 24 hours
Liability and indemnification terms

Vendor Categories

Critical Vendors

Access to customer data
Core infrastructure providers
Quarterly reviews required

Standard Vendors

Limited data access
Non-critical services
Annual reviews required

Low Risk Vendors

No data access
Public information only
Simplified assessment process